Internet Backbone DDOS "Largest Ever" 791

Posted by chrisd
from the spinal-tap dept.
wontonenigma writes "It seems that yesterday the root servers of the internet were attacked in a massive Distributed DoS manner. I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost. Check out the original Washington Post Article here."
  • And... (Score:4, Funny)

    by Cinematique (167333) on Tuesday October 22, 2002 @07:41PM (#4508841)
    it's supposed to withstand a nuclear war?
    • Re:And... (Score:4, Insightful)

      by kidlinux (2550) <duke&spacebox,net> on Tuesday October 22, 2002 @07:44PM (#4508885) Homepage
      A nuclear war isn't an attack on the networks themselves. This, however, is an attack on the networks.
      A subterranean bunker is designed to withstand nuclear wars, but what do you think would happen if the nuke was inside the bunker?
    • Re:And... (Score:5, Informative)

      by no soup for you (607826) <jesse.wolgamottNO@SPAMgmail.com> on Tuesday October 22, 2002 @07:49PM (#4508930) Homepage
      it's supposed to withstand a nuclear war?

      Article: "The Domain Name System (DNS), which converts complex Internet protocol addressing codes into the words and names that form e-mail and Web addresses, relies on the servers to tell computers around the world how to reach key Internet domains."

      The "IP system" should have been fine. The DNS system, which has become an integral part of the "internet" is not decentralized as regular internet infrastructure is. Yes it is supposed to withstand a nuclear war, and yes, it would have. btw, the system worked yesterday. only 4 of 13 may have survived, but the system still ran.

      We can have the internet without dns, but we cannot have dns without the internet

      • Re:And... (Score:5, Informative)

        by Istealmymusic (573079) on Tuesday October 22, 2002 @08:04PM (#4509058) Homepage Journal
        You make some good points, but the Domain Naming Server system is in fact largely distributed. Ever notice how when you configure your network stack you have to enter a DNS server? That's your ISP's DNS server, it's not one of the 13 root servers. Verizon gives its users 3 servers for translating numbers to names: vnsc-pri.sys.gtei.net (4.2.2.1), vnsc.bak.sys.gtei.net (4.2.2.2), vnsc-lc.sys.gtei.net (4.2.2.3), and for internal use, i-will-not-steal-service.gtei.net (4.2.2.4), Earthlink has 207.217.120.109, and even the smallest local ISP has its own DNS server.

        DNS is hierarchical, both in naming and in server implementation. Small ISPs cache their DNS from more major providers, up until the A to J.ROOT-SERVERS.NET main Internet servers. There is in fact one critical file, but it is mirrored to the 13 root servers, and domain look-ups are cached at the ISP level. I'm not surprised most Internet users were not affected, you wouldn't be affected if several large mail servers were DDoSed would you?

        • Re:And... (Score:4, Interesting)

          by nege (263655) on Tuesday October 22, 2002 @08:09PM (#4509092) Journal
          doesn't have to be your own ISP's DNS servers though right? I have been using earthlink's for about 3 years though have not been a customer of theirs...
          • Re:And... (Score:4, Informative)

            by Istealmymusic (573079) on Tuesday October 22, 2002 @08:33PM (#4509251) Homepage Journal
            Correct, I know of no DNS servers, even djbdns [cr.yp.to] DNS', which restrict queries to a limited IP range as is common with SMTP. There's not really a large risk in opening up your DNS to everyone, in fact, there are plenty of alternate DNS root servers [jerky.net].
            • Re:And... (Score:5, Informative)

              by Neon Spiral Injector (21234) on Tuesday October 22, 2002 @08:59PM (#4509405)
              You mean like
              acl XXX {
                  xxx.xxx.xxx.xxx/20;
              }

              options {
                  allow-query { localhost; XXX; };
                  ...
              };
              ?

              That's what I do with BIND9.
            • Re:And... (Score:5, Informative)

              by Electrum (94638) <david@acz.org> on Tuesday October 22, 2002 @10:28PM (#4509850) Homepage
              Correct, I know of no DNS servers, even djbdns [cr.yp.to] DNS', which restrict queries to a limited IP range as is common with SMTP. There's not really a large risk in opening up your DNS to everyone, in fact, there are plenty of alternate DNS root servers [jerky.net].

              You don't know what you are talking about. There are two different types of DNS servers: authoritative servers and recursive resolvers. djbdns comes with tinydns, an authoritative server and dnscache, a recursive resolver. The two are completely separate. BIND includes both in the same server, which is why many people are confused into thinking they are the same thing.

              tinydns does not restrict queries to only certain IP addresses. However, it can return different information depending on the source address of the query. This is usually called split horizon DNS.

              dnscache does have access control. You do not want just anyone to be able to query your recursive resolvers. With dnscache, you need to explicitly allow access [cr.yp.to] for IPs that can query it.

              There are no risks in opening your content (authoritative) DNS servers to everyone. There are risks in opening up your resolvers to everyone.
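The authoritative/recursive split described in the post above, as an added example written for this page (it is not code from the thread, from djbdns or from BIND): answers for zones the server hosts are given to any source, while recursion is performed only for sources on an explicit allow list, which is the role dnscache's per-IP allow list and BIND's allow-recursion play. The zone data, addresses and ACL ranges are constructed sample values.

```python
# Added example, not code from the thread or from djbdns/BIND: a toy model of
# an authoritative server that also answers recursive queries, but only for
# sources on an allow list. Zones, addresses and ACL ranges are constructed.
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Zones this server is authoritative for (constructed sample data).
LOCAL_ZONES: Dict[str, Dict[str, str]] = {
    "example.org.": {"www.example.org.": "192.0.2.10",
                     "mail.example.org.": "192.0.2.25"},
}

# Sources permitted to use this server as a recursive resolver (constructed).
RECURSION_ACL = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("127.0.0.0/8")]


def in_acl(source: str, acl: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when the source address falls inside any network of the ACL."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in acl)


def zone_for(qname: str) -> Optional[str]:
    """Longest local zone that contains qname, or None if we are not authoritative."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in LOCAL_ZONES:
            return candidate
    return None


def handle_query(source: str, qname: str, recursion_desired: bool) -> Tuple[str, Optional[str]]:
    """Decide how one query is answered.

    Returns (action, rdata):
      "authoritative" - qname is in a local zone; served to any source
                        (rdata is None when the name does not exist in the zone)
      "recursive"     - would be looked up on the client's behalf; only for
                        sources inside RECURSION_ACL
      "refused"       - recursion would be needed but the source is outside the
                        ACL, i.e. the open-resolver case the post warns about
    """
    zone = zone_for(qname)
    if zone is not None:
        return "authoritative", LOCAL_ZONES[zone].get(qname)
    if recursion_desired and in_acl(source, RECURSION_ACL):
        return "recursive", None
    return "refused", None


if __name__ == "__main__":
    print(handle_query("198.51.100.7", "www.example.org.", True))   # anyone gets local data
    print(handle_query("198.51.100.7", "www.example.com.", True))   # outsider asking for recursion
    print(handle_query("10.1.2.3", "www.example.com.", True))       # inside the ACL
```

The point of the split is that the first call succeeds for an arbitrary Internet source while the second is refused: serving your own zones to the world costs nothing, whereas doing lookups on behalf of strangers does.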
            • Re:And... (Score:5, Interesting)

              by Kiwi (5214) on Wednesday October 23, 2002 @03:51AM (#4511007) Homepage Journal
              The reason my DNS server [maradns.org] does not have this is because this is best done at the networking level; in other words, setting up a firewall to not allow connections to the DNS server.

              What my DNS server does is mandate an ACL (list of IPs allowed to make recursive queries; this can be set to "all hosts on the internet" if desired) if recursion (talking to other DNS servers) is enabled. Recursion takes a lot more work to do than authoritative requests; it is best to limit access to this.

              Unlike Dan, I feel that a DNS server should be both recursive and authoritative because it allows one to customize the resolution of certain hostnames. The idea is similar to /etc/hosts, but also works with applications which ignore /etc/hosts and directly perform DNS queries. For example, I was able to continue to connect to macslash.com [slashdot.org] when a squatter bought the domain and changed its official IP; I simply set up a zone for macslash.com, and made MaraDNS both recursive and authoritative.

              SMTP servers have IP restrictions at the application layer because this gives people some idea why they can't send email to a given host. A firewall restriction gives a vague "connection timed out" message in the bounce email message; application-level filtering allows the bounce message to say something like "You're from a known Spam-friendly ISP; go away".

              - Sam

        • Re:And... (Score:4, Informative)

          by no soup for you (607826) <jesse.wolgamottNO@SPAMgmail.com> on Tuesday October 22, 2002 @08:27PM (#4509212) Homepage
          Earthlink has 207.217.120.109, and even the smallest local ISP has its own DNS server.

          You're correct in that there are more than 13 DNS servers. I've got my own, which may or may not lie - it's these 13 that are "trusted" ... so to speak.

          Now, when you're configuring your network stack, in fact, when you described to me the various DNS servers, what is the important part: the name or the IP number? The number, which helps to prove my point that IP is more important than DNS.

          • Re:And... (Score:4, Interesting)

            by Istealmymusic (573079) on Tuesday October 22, 2002 @08:30PM (#4509230) Homepage Journal
            Yes, IP is more important than DNS. But is Ethernet more important than TCP?
        • by xant (99438) on Tuesday October 22, 2002 @08:35PM (#4509265) Homepage
          There's only one critical file? Hey, just email it to me, I'll keep it on my hard drive. If anyone needs it, just shoot me an email.
          • Re:One critical (Score:5, Informative)

            by Istealmymusic (573079) on Tuesday October 22, 2002 @08:42PM (#4509308) Homepage Journal
            Sure, do an AXFR (A-record transfer) with DiG on a root server. Of course, you have to be a privileged user--AXFR requires full-duplex TCP instead of an ordinary UDP connection, so unfortunately *.root-servers.net and *.gtld-servers.net don't allow transfers. Yet some of the international country-code TLDs (ccTLDs) allow AXFR transfers [securityfocus.com]; if you wanna host .AG or whatever just do a dig axfr and you're good to go.
          • by alfaiomega (585948) <alfaiomega@despammed.com> on Tuesday October 22, 2002 @10:36PM (#4509885) Homepage

            There's only one critical file? Hey, just email it to me, I'll keep it on my hard drive. If anyone needs it, just shoot me an email.

            OK, I'll send you my HOSTS.TXT file. But remember to update it every few weeks because the ARPAnet is growing faster than ever after the adoption of this new, fancy, so-called "TCP/IP" technology.

          • by mysticalreaper (93971) on Tuesday October 22, 2002 @11:57PM (#4510270)
            Well, you guys can rest easy, i sent xant an email. I said:

            "Hey xant,

            I've attached the critical file you alluded to in your comment at http://slashdot.org/comments.pl?sid=43025&cid=4509265.

            Keep it on your hard drive in case we all need it. :)"

            Heh. In case his hard drive goes, maybe a couple other people should get it from here [internic.net].
        • Re:And... (Score:5, Informative)

          by aredubya74 (266988) on Tuesday October 22, 2002 @08:50PM (#4509351)
          Verizon gives its users 3 servers for translating numbers to names: vnsc-pri.sys.gtei.net (4.2.2.1), vnsc.bak.sys.gtei.net (4.2.2.2), vnsc-lc.sys.gtei.net (4.2.2.3), and for internal use, i-will-not-steal-service.gtei.net (4.2.2.4) Actually, an interesting note on how this is configured. Genuity (aka GTEI aka BBN Planet), who hosts these DNS resolvers, has a simple, but effective distribution system for redundancy. There are actually several servers on AS 1 that will respond as 4.2.2.1 or .2. /32 routes are sprinkled into IGP within the network to try and route requests to the "closest" server that can answer the request. If one is in trouble, simply pull the route to it, and requests route elsewhere. It's not foolproof, as a DDOS would likely come from all borders and overwhelm all of the various servers, but it's pretty effective nonetheless.
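The host-route redundancy scheme the post describes, as an added example written for this page (not the thread's code and not anything from Genuity): several server instances answer for the same resolver address, each announced as its own /32 with an IGP metric, so a longest-prefix-match lookup sends queries to the nearest live instance, and pulling one instance's route moves them to the next one. The resolver addresses are the ones quoted in the post; the server names, metrics and covering aggregate are constructed.

```python
# Added example, not code from the thread or from Genuity: a toy forwarding
# table with longest-prefix-match plus metric tie-breaking, used to show how
# withdrawing a /32 route for a troubled server shifts queries elsewhere.
# Server names, metrics and the /24 aggregate are constructed; the 4.2.2.x
# addresses are the ones quoted in the post.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str, int]   # (prefix, server, IGP metric)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def announce(self, prefix: str, server: str, metric: int) -> None:
        self.routes.append((ipaddress.ip_network(prefix), server, metric))

    def withdraw(self, server: str) -> None:
        """Pull every route that points at a server in trouble."""
        self.routes = [r for r in self.routes if r[1] != server]

    def lookup(self, dst: str) -> Optional[str]:
        """Longest prefix wins; among equal-length prefixes, the lowest metric."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return min(matches, key=lambda r: (-r[0].prefixlen, r[2]))[1]


def build_table() -> RoutingTable:
    """Constructed scenario: one aggregate covering the resolver block, plus
    two instances that each announce the same /32s with different metrics."""
    t = RoutingTable()
    t.announce("4.2.2.0/24", "fallback-site", 100)
    t.announce("4.2.2.1/32", "resolver-near", 10)
    t.announce("4.2.2.1/32", "resolver-far", 30)
    t.announce("4.2.2.2/32", "resolver-near", 10)
    t.announce("4.2.2.2/32", "resolver-far", 30)
    return t


def failover_demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Where queries for 4.2.2.1 land before and after instances are pulled."""
    t = build_table()
    before = t.lookup("4.2.2.1")          # nearest instance by metric
    t.withdraw("resolver-near")
    after = t.lookup("4.2.2.1")           # the remaining /32 takes over
    t.withdraw("resolver-far")
    last_resort = t.lookup("4.2.2.1")     # only the covering aggregate is left
    return before, after, last_resort


if __name__ == "__main__":
    print(failover_demo())
```

The toy also shows the limit the post mentions: withdrawing routes only helps while some instance is healthy, so a flood that reaches every instance at once leaves nothing to fail over to.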
        • Not quite. (Score:4, Informative)

          by mindstrm (20013) on Tuesday October 22, 2002 @09:02PM (#4509419)
          Smaller ISPs don't cache info from larger ones... most dns servers simply use the root servers directly. There is no hierarchy beyond that with regards to caching.

          It is hierarchical with regards to namespace, but not so much with regards to lookups.

        • by msobkow (48369) on Tuesday October 22, 2002 @09:56PM (#4509693) Homepage Journal

          Ordinary Internet users experienced no slowdowns or outages because of safeguards built into the Internet's architecture.

          Bullshit.

          I had obvious impacts trying to resolve DNS names during the time period of the attack (Delaware AT&T), despite having a caching name server on my local net, which queries AT&T's caching (primary?) servers.

          ISPs should be responsible for providing the DNS services to their customers in timely and reliable fashion, querying their backbone providers in turn. Direct queries of the root servers by subnets should be verboten and expressly blocked by the ISP firewalls. If you need to resolve a refresh, probe the ISP DNS and let their system handle the distribution. That way the root servers become repositories and key distribution points instead of failure points like yesterday.

          I'm sure someone will object that they have the "right" to use whatever ports they want and that they don't want to rely on the stability of their ISP's servers, but we're talking about the infrastructure people! We have no more "right" to hit the root directly than to clamp a feed from the power company mains to the house or splice into the cable TV/broadband wiring.

          If we don't protect and distribute infrastructure resources adequately, everyone is affected. And if your ISP has servers that are too unreliable for this type of filtered distribution to work, change providers!

          • by 0x0d0a (568518) on Tuesday October 22, 2002 @11:31PM (#4510147) Journal
            And by golly, we should eliminate all functionality of the Internet other than port 80 outbound (through a transparent proxy) and port 25 and 110 (only to the ISP's mail server), and DNS to the ISP's name server.

            After all, 99.5% of people wouldn't notice, and who *really* cares about the remaining .5%?

            I really loathe the growing trend towards firewalling everything that moves. Mail outbound, other than to the ISP's mail server. Napster. Ping packets. It's really annoying to the people who actually *do* want to use said functionality.
            • by msobkow (48369) on Wednesday October 23, 2002 @12:02AM (#4510297) Homepage Journal

              You want full functionality? Sign off with your ISP for the appropriate connection service. If you pay for a small business link, you get the higher level access, and also take responsibility for the maintenance and security of your node. You get hacked, you participate in DDOS attacks, you should be financially responsible. If you really know your stuff to use the extra functionality, you should have no issue with taking responsibility for the risks incurred.

              Don't want to pay more? Don't want to be responsible? Don't get the access.

              There is no such thing as "rights" when your activities impact others. If you aren't willing to stand up and be responsible for your traffic (subnet/link/servers), then internet "society" has the responsibility to protect the rest of the community from you.

              If the internet is truly as critical to business as we all hope it to be, it only stands to reason that people are going to have to get "licenses" to run full service nodes and subnets. You don't get to drive without a license to demonstrate that you at least have the education and skills to do so safely -- why would you expect to do otherwise on the 'net?

              • by 0x0d0a (568518) on Wednesday October 23, 2002 @02:15AM (#4510697) Journal
                You want full functionality?

                Yes, I do. The same peer-to-peer functionality that hosts on the Internet have had forever. I got my fill of "Internet access", but not being an Internet peer when everyone was selling dialup shell accounts but not PPP.

                Sign off with your ISP for the appropriate connection service.

                So *I* should pay *more* for them to do *less* work?

                That's as bad as the pay-extra-if-you-don't-want-your-number-listed phone company procedure.

                If you pay for a small business link, you get the higher access level, and also take responsibility for the maintenance and security of your node.

                I *already* take responsibility for the maintenance and security of the node. I don't need to pay any more money to take said responsibility.

                You get hacked, you participate in DDoS attacks, you should be financially responsible.

                There's no legal difference between a business and a home account from a financial responsibility point of view. What are you talking about?

                If you really know your stuff to use the extra functionality, you should have no issue with taking responsibility for the risks incurred.

                I *don't* have an issue with that. I just don't want to pay inflated business-class prices for standard peer-to-peer access.

                Don't want to pay more?

                Not particularly, no.

                Don't want to be responsible?

                Well, I'd kind of prefer to not be responsible ( :-) ), but I'll certainly accept it.

                Don't get the access.

                Conclusion does not follow.

                There are [sic] no such thing as "rights" when your activities impact others.

                You seem to have misquoted me. I did not use the word "rights" anywhere in my original post, or claim that I had any such rights (legal or ethical) whatsoever. I did say that it was *annoying* to me.

                If you aren't willing to stand up and be responsible for your traffic

                Where, where, did you get the impression that I said this at all?

                If the internet is truly as critical to business as we all hope it to be, it only stands to reason that people are going to have to get "licenses" to run full service nodes and subnets.

                That has no bearing whatsoever on my argument. I also don't think that the potentially critical relationship to business can be said to imply that one needs a license. Electricity is quite critical to US industry (hell, it's physically dangerous), yet one doesn't need a license to utilize it.

                You don't get to drive without a license to demonstrate that you at least have the education and skills to do so safely -- why would you expect to do otherwise on the 'net?

                Still has no bearing on my argument.

                Furthermore, I'd like to point out again that screwing up while driving can easily end up with many people dead. Even with the license system, cars are the leading cause of death of teens and young adults. I don't think you can compare that at all to the Internet, where maybe someone gets a Code Red infection. The Internet is important, but not knowing what you're doing on the Internet is wildly different (at least currently) from being an active threat to the lives of others.
        • Re:And... (Score:5, Informative)

          by mysticalreaper (93971) on Tuesday October 22, 2002 @11:37PM (#4510170)
          You say:
          You make some good points, but the Domain Naming Server system is in fact largely distributed.
          and then you say:
          DNS is hierarchical, both is naming and in server implementation.

          Ok hold on here. It's both hierarchical, implying something at the top that everything is based on, and at the same time, distributed, implying that it's not dependent on some central source? Dude, you're contradicting yourself, and so you're wrong.

          The truth is that the DNS system IS hierarchical. ICANN runs the root. They say what information goes in at the highest level. The dot-com, and dot-aero, and dot-useless and so on. That is why there is so much scrutiny on ICANN for operating fairly [icannwatch.org]. They are the people who decide how the DNS system will be run, because they are at the top of the hierarchy.

          "But wait!" you say, "Aren't there 13 root servers? That's distributed right there." Yes, but you are only half right. The LOAD is distributed, not the information. So you're distributing the LOAD, but the info is exactly the same on each one. And that info is controlled by ICANN.

          Oh and yes, you CAN get that one file of information that the root servers have. Really you can. Take a look for yourself. Log into ftp://ftp.rs.internic.net/domain [internic.net] and get root.zone.gz [internic.net]. If you look at that file, you'll see it's a list of all the servers for all the TLDs. .ca, .uk, .fr, .com, .net. Everything. There's also a list of all the root servers: named.root [internic.net] There's other info there, but I'm sure you can find it yourself.
      • Re:And... (Score:5, Funny)

        by alphaseven (540122) on Tuesday October 22, 2002 @08:22PM (#4509181)
        That's why I have "64.28.67.150 slashdot.org" in my hosts file, so if anything goes wrong with the DNS system, I'll be able to read about it on slashdot.
        • Re:And... (Score:4, Insightful)

          by joshuac (53492) on Tuesday October 22, 2002 @08:48PM (#4509342) Journal
          ...and you will be left scratching your head when Slashdot seemingly goes offline for an extended period of time.

          hint: read the last paragraph of Cmdrtaco's last journal.

          just run a local DNS cache; if something is unreachable, you have the cached entry to work off of. When changes are made, you get the update automatically.
      • DNS (Score:4, Funny)

        by commodoresloat (172735) on Tuesday October 22, 2002 @10:14PM (#4509779)

        We can have the internet without dns, but we cannot have dns without the internet

        Why would we want DNS without the Internet?

    • Re:And... (Score:5, Funny)

      by Jonny Ringo (444580) on Tuesday October 22, 2002 @07:53PM (#4508971)
      If there's a nuclear war the fucking internet is going to be the least of my worries. e-commerce, Web services, and xml can all kiss my ass.

      Oh my my face is burning off, and I'm thirsty like a mother grabber.. I hope the internet is still up, oh hey look there goes a cockroach.

      • Yeah... (Score:4, Insightful)

        by Nindalf (526257) on Tuesday October 22, 2002 @08:05PM (#4509063)
        ...everyone knows that communication infrastructure is a meaningless luxury, especially during a war or after a huge disaster.
      • Re:And... (Score:5, Funny)

        by Tablizer (95088) on Tuesday October 22, 2002 @09:11PM (#4509479) Homepage Journal
        If there's a nuclear war the fucking internet is going to be the least of my worries. e-commerce, Web services, and xml can all kiss my ass.

        Well, if it does happen, I hope they finish them off. Otherwise, the cockroaches may try to revive XML and web services based on an archaeological dig in a few hundred-million years. Then again, let's punish the little bastards for infesting our kitchens. Let them suffer dumb tech bubbles and useless fads after all.

    • Re:And... (Score:5, Informative)

      by Zeinfeld (263942) on Tuesday October 22, 2002 @08:37PM (#4509278) Homepage
      it's supposed to withstand a nuclear war?

      Actually that is an Internet myth. Look at the IETF RFCs, the first occurrence of the word 'Nuclear' is several decades after the Internet was created.

      The DNS cluster is designed with multiple levels of fault tolerance. In particular the fact that the DNS protocol causes records to be cached means that the DNS root could be switched off for up to a day before most people would even notice.

      The root cluster is actually the easiest to do without. There are only 200 records. In extremis it would be possible to code them in by hand. Or more realistically we simply set up an alternative root and then use IP level hacks to redirect the traffic. The root servers all have their own IP blocks at this stage so it is quite feasible to have 200 odd root servers around the planet accessed via anycast.

      The article does not mention which of the servers stayed up apart from the VeriSign servers. However those people who were stating last week that the .org domain can be run on a couple of moderately specced servers had better think again. The bid put in by Paul Vixie would not have covered a quarter of his connectivity bill if he was going to ride out attacks like this one.

    • Re:And... (Score:5, Insightful)

      by erpbridge (64037) <steve@erpbridEULERge.com minus math_god> on Tuesday October 22, 2002 @10:40PM (#4509895) Journal
      Yes, the Internet was designed to withstand a nuclear war on the surrounding world. However, a few things are different now than what that original design was for:

      1) This was not an attack on the surrounding world. This was an attack on the network itself, from inside the network itself.

      2) The Internet was designed to be able to route around problems in a specific global region (nuclear war) by having each node or site have connections to multiple other nodes, creating a redundancy that would be almost impossible to get around (at worst case, you could try to route a region through someone's 56K if that region's main providers went down). This redundancy is nowhere near what it should be.

      Also, the amount of nodes is magnitudes greater than the original founders ever thought of. The number of sites when that was said was around 20-30, and it was fairly easy for most of them to connect to each other and form a semi-mesh network.

      3) Dependence on centralized services. This attack was on one of the Internet's centralized services, the Alliance of 13 (DNS root servers). With a limited number of root DNS servers, it's easy to point to somewhere and say "There's the weakness, let's hit it". The root DNS servers are a balance between complexity (having more than one root server takes time to propagate complete changes amongst all of them) and redundancy (having only one or a few servers makes an even more vulnerable point than the Alliance of 13).

      Another major weakness is the continental backbones (for example, North America has the East Coast, West Coast, and transcontinental backbones) and their switching stations, like MAE East and West. Imagine if someone was able to take out all of MAE East in one shot, how crippled most of the Internet would be, for at least 12-36 hours while the alternate routing was put in place.
  • DDOS? (Score:4, Funny)

    by sgtron (35704) on Tuesday October 22, 2002 @07:41PM (#4508849)
    Is that why my porn streaming was slow yesterday?
  • Watch Out! (Score:4, Funny)

    by Anonymous Coward on Tuesday October 22, 2002 @07:42PM (#4508864)
    It's the RIAA and they're pissed!

    Everyone! Run for your lives, Jackie's comin!
  • ...when someone calls up and says "Is the internet down?" you can finally say, "It was." not just to simplify it to the level that your callers can understand, but because it's the truth.
  • by seanadams.com (463190) on Tuesday October 22, 2002 @07:44PM (#4508880) Homepage
    I mean jeeze, only 4 or 5 out of 13 survived according to the WashPost.

    I'd say this just goes to show how reliable the root name servers are. I didn't notice any dns problems yesterday. In fact, I don't remember any root name server problems since the infamous alternic takeover.
    • by kennylives (27274) on Tuesday October 22, 2002 @07:52PM (#4508958) Journal
      FWIW, I did see massive problems. I had done a Google search for mountain bikes, and only 1 in 5 sites would resolve. I popped open a terminal window to cross-check some of the failing queries against a different nameserver, and nslookup/dig would hang or timeout on the ones that Mozilla had a problem with. Very annoying, to say the least.

      Twenty minutes later, though, everything seemed fine, and the sites that wouldn't resolve earlier finally did. I wondered if something... erm.. unusual was going on, and it looks like there was...

      As always, your mileage will undoubtedly vary...

    • by Anonymous Coward on Wednesday October 23, 2002 @03:11AM (#4510901)
      I'd say this just goes to show how reliable the root name servers are.
      I'd say this just shows how reliable the Washington Post is.

      If you believe this article [com.com] on news.com [com.com], it looks more like a storm in a glass of water.

      Quote: the peak of the attack saw the average reachability for the entire DNS network dropped only to 94 percent from its normal levels near 100 percent.
  • And...? (Score:3, Funny)

    by Anonymous Coward on Tuesday October 22, 2002 @07:44PM (#4508886)
    Anything that is so important that it can't be disturbed during transmission is already taken off the Internet and on its own network cable.

    You don't think the military puts any critical systems on the Internet, do you?
  • 13 servers (Score:3, Funny)

    by dirvish (574948) <dirvish.foundnews@com> on Tuesday October 22, 2002 @07:44PM (#4508890) Homepage Journal
    From the article: "UUNET is the service provider for two of the world's 13 root servers. A unit of WorldCom Inc., it also handles approximately half of the world's Internet traffic." Only two servers for half the world's internet traffic? That is scary. What are the specs on those babies?
  • Well there we go! (Score:4, Interesting)

    by MattCohn.com (555899) on Tuesday October 22, 2002 @07:45PM (#4508899)
    If the servers can withstand the attack without going completely down, I guess they know they did something right.

    Article:
    "Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said."

    All I can say is that if you think of this as a test, I'm happy it passed.

    (Insert joke about Beowulf cluster of DDOS attacks / the servers' ability to withstand the slashdot effect.)
    • Re:Well there we go! (Score:5, Interesting)

      by Grit (18830) on Tuesday October 22, 2002 @08:27PM (#4509211) Homepage

      The attackers were idiots. They used ICMP echo requests (easily filterable, since the DNS servers don't _have_ to answer those) and quit after an hour. More publicity stunt than actual attempt to damage, IMNSHO.

      I've been trying to publish a paper about exactly this (and how to redesign DNS to avoid the vulnerability) and I'm just pissed that they didn't tell me in advance so that I could do some measurements. :)

  • by Indomitus (578) on Tuesday October 22, 2002 @07:46PM (#4508905) Homepage Journal
    This attack has generally been considered "piddly and unintelligent" according to people who are actually in charge of running things on the net. Here's a good quote from the NANOG mailing list:

    "when uunet or at&t takes many customers out for many hours, it's not a problem
    when an attack happens that was generally not even perceived by the users, it's a major disaster
    i love the press"

    With something like the root nameservers, if it was an important attack, you would have noticed. I run an ISP and we had zero complaints, even from the Everquest whiners who complain at the drop of a hat about anything.
  • Ah ha. (Score:4, Funny)

    by puppetman (131489) on Tuesday October 22, 2002 @07:50PM (#4508934) Homepage
    Now I know why my Tribes 2 experience lagged last night.

    I'm going to beat the crap out of that 12-year-old as soon as I find him; he made me look like I had no skillzzz.
  • by nweaver (113078) on Tuesday October 22, 2002 @07:50PM (#4508940) Homepage
    The root DNS servers are required to go from the TLD to the actual TLD's nameservers, eg to go from ".com" to the .com root nameservers. As a result, although critical, their results are cached with very, VERY long cache timeouts (TLD DNS servers seldom change).

    Thus the hour long attack was not enough to meaningfully disrupt things, as most lookups would not require querying the root, unless you were asking for some oddball TLD like .su.

    Change the attack to be several hours, or a few days, and then cache entries start to expire and people are unable to look up new domain names. But that attack would be harder to sustain, as infected/compromised machines could be removed.

    It is an interesting question who or how this was achieved. There seems to be a lot of scanning for open windows shares (Yet Another Worm? Who knows) also going on in the past couple of days, but there is no clue if it is related.

    • by billstewart (78916) on Tuesday October 22, 2002 @09:11PM (#4509478) Journal
      It's not just caching the pointers from . to .com or .zr, it's the caches of the 2LD names in .com that matter. (.org and .net are important, but .com is the really annoying failure. And country-code name service gets handled elsewhere, though taking down .co.uk might be a target also.)

      For the most common 2LD names, any major ISP will have cached the addresses for them, and won't need to hit the .com server until the typical 1-week or 24-hour cache timeout periods. If your nameserver is ns.bigisp.net, somebody there will have looked up google.com in the last 2 seconds, even though nobody at your ISP has looked up really-obscure-domain.com this week - but even that one may be in the cache because some spammer was out harvesting addresses. An obvious scaling/redundancy play for the root servers and for the major ISPs would be to have them cache full copies of the root server domains to keep down the load and reduce dependency. It's not really that much data - 10 million domains averaging 30 characters for name and IP addresses is only half a CD-ROM. An interesting alternative trick would be for the Tier 1 ISPs to have some back-door access to root-level servers for recursive querying.

  • by Wee (17189) on Tuesday October 22, 2002 @07:52PM (#4508951)
    ...but it needs saying: Patch your damn machines. Install a virus scanner if you run Windows and run a firewall on *any* machine hooked directly to the Net.

    I'd love to see a breakdown of what networks the attacks came from and what the OS distribution was... pie charts optional.

    -B

  • Test run (Score:3, Insightful)

    by QueenOfSwords (179856) on Tuesday October 22, 2002 @07:52PM (#4508957) Homepage
    Well we can laugh about it now (What DOS? my instinct when I read about this was to flip the unsuccessful hax0rs the bird) but my concern is that this could be a test run for something more unpleasant.
    Maybe to cause a false sense of security, maybe to analyse how those crucial networks cope with DOS attacks so as to be more successful next time.
Whether these people were Bin Laden's boys or garden variety hax0rs, don't get too comfortable. The worst is yet to come.
  • Sophisticated? (Score:5, Insightful)

    by wsloand (176072) on Tuesday October 22, 2002 @07:53PM (#4508973)
    The heart of the Internet sustained its largest and most sophisticated attack ever

I've never considered DDOS all that sophisticated myself. It seems to me that "wow a script kiddie got more systems under his control than usual" more than "a great cracker is on the loose". Though I suppose if it were a great cracker then they could have been proving themselves by predicting the attack.
    • by billstewart (78916) on Tuesday October 22, 2002 @11:24PM (#4510111) Journal
      The first time a given technique gets used, it may be sophisticated, but after that it's often just script kiddiez. Some attacks are pretty crude, just borrowing a few thousand 0wned machines and slashdotting a victim, but some DOS attacks really do use some insight and then use the distributed attack as a lever, or as a way to hide the source of the attack. The clever attacks look for the critical resources on the target machine and tie those up. Sometimes that's something like the TCP SYN attacks which create half-open sessions to clog tables, but those can be easier to block, and they often depend on forged source addresses, which can be traced by a persistent ISP. Other attacks look more like brute force - find the asymmetrically resource-intensive part of a real transaction (like doing CPU-burning digital signatures, or downloading a really big file or causing some thrashy database lookup) and flooding that with lots of real transactions from your zombies, which is harder to block without also blocking real transactions from real users. In some cases, the crude attacks also work well because the fix requires applications programming so it's not something your ISP or router can just block for you.

      But, yeah, some of the attacks aren't much different than using a loudspeaker to announce "Free Beer at Victim.com"

  • OMG OMG (Score:4, Funny)

    by Doctor Sbaitso (605467) on Tuesday October 22, 2002 @07:55PM (#4508988) Journal
    I know I shouldn't have pressed this button [turnofftheinternet.com]...
  • by Bobulusman (467474) on Tuesday October 22, 2002 @07:55PM (#4508990)
    Which could happen if these guys tried again:

    We'll have to rely on IP addresses, obviously, so start changing your bookmarks now!

    http://64.28.67.150/index.pl
    instead of
    http://slashdot.org/index.pl

    :)
  • And...? (Score:5, Insightful)

    by m0i (192134) on Tuesday October 22, 2002 @07:55PM (#4508992) Homepage
    Despite the scale of the attack, which lasted about an hour, Internet users worldwide were largely unaffected, experts said.
    Indeed, no traffic slowdown, no more than usual support calls. The system works as expected, even under attack.

    Worth a read: Caida DNS analysis [caida.org], and more specifically those graphs [caida.org]. It would be interesting to know which DNS sustained the attack, in regard to the graphs.
  • by ehiris (214677) on Tuesday October 22, 2002 @08:01PM (#4509031) Homepage
Maybe they were attacking root servers but those servers failing couldn't cause all the DNS records to get lost. Some people might have had temporary problems, some might have not.

    If you really want to, build your own root server [ipal.net]
  • I work for JPNIC (Score:4, Informative)

    by Anonymous Coward on Tuesday October 22, 2002 @08:02PM (#4509043)
    Hi,

I'm at JpNIC & JPRS; we manage the Japanese servers here. The attack progressed through our networks and affected 4 of our secondary mapped servers (these servers are used as a backup and in no way are real root servers). The servers were running a suite of Microsoft products (Windows NT 4.0) and security firewall by Network Associates.

    Here is a quick log review:

    Oct20: The attackers probed our system around 2100 hours on Oct 20 (Japan). We saw a surge in traffic onto the honeypot (yes these backups are honeypots) systems right around then.

2238: We saw several different types of attacks on the system, starting with mundane XP only attacks (these were NT boxes). We then saw tests for clocked IIS and various other things that didn't exist on our system.

2245: We saw the first bind attacks; these attacks were very comprehensive. We can say they tried every single bind exploit out there. But nothing was working.

    Attacks ended right then.

    Then on the 22nd they resumed (remember we are ahead)

22nd: A new type of attack resumed. The attack started with port 1 on the NT box; we have never seen this type of attack and the port itself responding was very weird. Trouble started and alarms went off, we were checking but couldn't figure out what happened, then we saw a new bind attack. The attack came in and removed some entries from bind database (we use oracle to store our bind data).

    The following entries were added under ENTRI_KEY_WORLD_DATA ::

    HACZBY : FADABOI
    CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET

    Several other things were changed or removed.

Till now, we have no idea what the exact type of hack this was; we are still looking into this. The attacker calls himself "Fadaboi", and has been seen attacking other systems in the past.

    We are now working hard with network solutions.

    Thank you.

    • Re:I work for JPNIC (Score:5, Informative)

      by irregular_hero (444800) on Tuesday October 22, 2002 @08:13PM (#4509116)
      If you want to see in gory detail what a DDOS attack looks like in relation to what NORMALLY happens to these servers, try here [root-servers.org]. Notice the really big spike. As if you could miss it.
    • Re:I work for JPNIC (Score:5, Interesting)

      by Mike Schiraldi (18296) on Tuesday October 22, 2002 @08:35PM (#4509266) Homepage Journal
HACZBY : FADABOI
      CORPZ : MVDOMIZN HELLO TO KOTARI ON UNDERNET

      Well, this shouldn't take the FBI long. A quick Google search shows that Undernet's Kotari owns the domain www.kotari.com, which he's recently taken down but still shows whois records.
    • by Kragg (300602) on Tuesday October 22, 2002 @08:42PM (#4509305) Journal
      The attack came in and removed some entries from bind database (we use oracle to store our bind data)..

      Unbreakable.
    • Running NT and BIND? (Score:5, Interesting)

      by Inoshiro (71693) on Tuesday October 22, 2002 @08:48PM (#4509339) Homepage
      Why?

      It's really easy to setup a system which dumps your SQL database out to a TinyDNS file [www.fefe.de]. TinyDNS [cr.yp.to] is provably secure software. I would expect that you would use it on the root servers, since it's designed to work at very high levels of output/uptime, and be attack resistant to the point of being attack proof.

      Say what you will about D. J. Bernstein [cr.yp.to], he does have a very capable DNS solution [cr.yp.to] available.
  • by moosesocks (264553) on Tuesday October 22, 2002 @08:06PM (#4509073) Homepage
In other news, Slashdot posted a story about the internet yesterday. As a result, the internet had been completely obliterated within 5 minutes.
  • by kir (583) on Tuesday October 22, 2002 @08:09PM (#4509090) Homepage

    A certain mil/gov organization I consult with was jumping through their own asses worried about this. The funny thing is, ummm... NOTHING CHANGED! We experienced NOTHING. I think they wanted us to do something... ANYTHING.

    You know... next time this happens, I'm setting up my own root servers... errr... wait...

  • Can you say "SPIKE"? (Score:4, Informative)

    by irregular_hero (444800) on Tuesday October 22, 2002 @08:17PM (#4509150)
    I think I can. The US Army-operated root server looks like it took the brunt of the attack [root-servers.org], as opposed to the JPNIC servers, which seem to have had a much lower rate [root-servers.org] (perhaps because most of the attacking hosts were US-based?).
  • by Shamanin (561998) on Tuesday October 22, 2002 @08:20PM (#4509166)
    "The Domain Name System (DNS), which converts complex Internet protocol addressing codes..."

    And I suppose the person who wrote this article would consider arithmetic a complex system of digits and symbols.
  • mrtg charts (Score:4, Informative)

    by Cally (10873) on Tuesday October 22, 2002 @08:29PM (#4509225) Homepage
    Links courtesy of Sean Donelan.

    Root-servers.net [root-servers.net]
    The legendary cymru.com data. [cymru.com]

    I haven't looked yet but LINX mrtg charts might show something interesting. [linx.net]

    Of course, even if someone could knock all the root servers over, the net as we know it wouldn't stop working instantly. That's what the time to live value is for :)

  • Traffic Stats (Score:5, Informative)

    by HappyPhunBall (587625) on Tuesday October 22, 2002 @08:33PM (#4509254) Homepage

    The stats for the h.root servers are available for the time period [root-servers.org] of the attack. Seems as though the h servers were taking in close to 94Mbits/second for a while.

    More links to server stats can be found at Root Servers.org [root-servers.org] and some background is available at ICANNWatch [icannwatch.org].

  • by Kiwi (5214) on Tuesday October 22, 2002 @08:44PM (#4509320) Homepage Journal
    I did notice that DNS resolutions were taking a little longer than usual and that there were slightly more resolving issues than normal; I also noticed that 198.41.0.4 (a.root-servers.net) was not replying to DNS queries. The OSRC [open-rsc.org] root name servers (which I normally use) were perfectly functional, however.

    I only noticed it because I use my own DNS server [maradns.org] to resolve requests; and pay close attention whenever I see any problems resolving host names (there is the possibility of it being a bug with my software).

The person who orchestrated this attack is not very familiar with DNS. Attacking the root name servers is not very effective; all the root servers do is refer people to the .com, .org, or other TLD (top-level-domain) name servers. Most DNS servers remember the list of the name servers for a given TLD for a period of two days, and do not need to contact the root servers to resolve those names. While some lesser-used country codes may have had slower resolution times, an attack on the root servers which only lasts an hour can not even be felt by the average end user.

In the case of MaraDNS, if a DOS (denial of service) is happening against the root servers, MaraDNS will be able to resolve names (albeit more slowly for lesser-used TLDs) until every single root server is successfully DOS'd.

    - Sam

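A small simulation of the caching behaviour described in the nweaver and Kiwi comments above (an added example, not code from either poster or from MaraDNS): a toy recursive resolver that caches root-to-TLD delegations with a long TTL, so a one-hour root outage only breaks lookups for TLDs that were never cached, while a multi-day outage eventually breaks everything. The delegation data, TTL values and nameserver names are constructed placeholders, not the real root or .com zone contents.

```python
# Constructed delegation data (not real zone contents). TTLs are stand-ins:
# 172800s is the "two days" Kiwi mentions for root-to-TLD referrals.
ROOT_DELEGATIONS = {              # what the root servers answer: TLD -> (NS list, TTL)
    "com": (["a.gtld-servers.example"], 172800),
    "su":  (["ns.su-tld.example"], 172800),
}
TLD_DELEGATIONS = {               # what a TLD server answers: 2LD -> (NS list, TTL)
    "example.com": (["ns1.example.com"], 86400),
    "example.su":  (["ns1.example.su"], 86400),
}


class Resolver:
    """Minimal recursive resolver: caches delegations per zone with an absolute expiry."""

    def __init__(self):
        self.cache = {}           # zone -> (expires_at, nameservers)

    def _cached(self, zone, now):
        entry = self.cache.get(zone)
        return entry[1] if entry and entry[0] > now else None

    def resolve(self, name, now, roots_up=True):
        """Return the NS list for name's 2LD, or None if resolution fails."""
        labels = name.split(".")
        tld, zone = labels[-1], ".".join(labels[-2:])
        if self._cached(tld, now) is None:
            # Only an uncached TLD needs the root servers at all.
            if not roots_up or tld not in ROOT_DELEGATIONS:
                return None
            ns, ttl = ROOT_DELEGATIONS[tld]
            self.cache[tld] = (now + ttl, ns)
        zone_ns = self._cached(zone, now)
        if zone_ns is None:
            if zone not in TLD_DELEGATIONS:
                return None
            zone_ns, ttl = TLD_DELEGATIONS[zone]
            self.cache[zone] = (now + ttl, zone_ns)
        return zone_ns


def simulate_outage():
    """Prime the cache, then take the roots down for an hour and for more than two days."""
    r, t0 = Resolver(), 1_000_000
    primed = r.resolve("www.example.com", t0)                   # roots up: caches .com referral
    during = {                                                  # 30 minutes into the outage
        "www.example.com": r.resolve("www.example.com", t0 + 1800, roots_up=False),
        "host.example.su": r.resolve("host.example.su", t0 + 1800, roots_up=False),
    }
    after_ttl = r.resolve("www.example.com", t0 + 172800 + 1, roots_up=False)
    return primed, during, after_ttl
```

The .com lookup keeps working from the cached referral during the hour-long outage, the never-cached .su lookup fails, and once the two-day TTL lapses with the roots still down, .com fails too.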
  • by mooman (9434) on Tuesday October 22, 2002 @09:35PM (#4509594) Homepage
    Original Washington Post article was: "Attack On Internet Called Largest Ever"

    Followup article, after slashdot story, was: "Attack on Washington Post Called Largest Ever".

    Ah.. behold the mighty power of /.

  • by Joey7F (307495) on Tuesday October 22, 2002 @10:09PM (#4509761) Homepage Journal
    A warrant

    --Joey
